Sample code for 30+ languages & platforms
Tcl

Rewrite PFX using AES256-SHA256

See more PFX/P12 Examples

Demonstrates how to load a .pfx/.p12, examine the encryption algorithm used, and rewrite using aes256-sha256.

Chilkat Tcl Downloads

Tcl

load ./chilkat.dll

set success 0

set pfx [new_CkPfx]

# Let's load a .pfx and examine the encryption algorithms used to protect the private key:
set success [CkPfx_LoadPfxFile $pfx "qa_data/pfx/test_secret.pfx" "secret"]
if {$success == 0} then {
    puts [CkPfx_lastErrorText $pfx]
    delete_CkPfx $pfx
    exit
}

# Examine the algorithms:

# "pbeWithSHAAnd3_KeyTripleDES_CBC" or "pbes2"?
puts "Algorithm: [CkPfx_algorithmId $pfx]"

# If the algorithm is "pbes2" then examine the actual encryption and HMAC algorithms used within pbes2.
# (If the algorithm is NOT "pbes2", then the following properties are meaningless and will not be modified from their previous values prior to loading the PFX.)
puts "Pbes2CryptAlg: [CkPfx_pbes2CryptAlg $pfx]"
puts "Pbes2HmacAlg: [CkPfx_pbes2HmacAlg $pfx]"

# Our output so far:

# Algorithm: pbeWithSHAAnd3_KeyTripleDES_CBC
# Pbes2CryptAlg: aes256-cbc
# Pbes2HmacAlg: hmacWithSha256

# This tells us that the PFX we loaded was protected using triple-DES with SHA1.
# (Most existing .pfx/.p12 files use 3DES w/ SHA1.)
# The Pbes2CryptAlg and Pbes2HmacAlg properties do not apply here because the AlgorithmId is not equal to "pbes2".  We can ignore those values.

# Examine the last JSON data collected in the call to LoadPfxFile.  This gives us information about what is contained in the PFX, including extended attributes.
set json [new_CkJsonObject]

CkPfx_GetLastJsonData $pfx $json

CkJsonObject_put_EmitCompact $json 0
puts [CkJsonObject_emit $json]

# Sample output

# Use this online tool to generate parsing code from sample JSON: 
# Generate Parsing Code from JSON

# {
#   "authenticatedSafe": {
#     "contentInfo": [
#       {
#         "type": "Data",
#         "safeBag": [
#           {
#             "type": "pkcs8ShroudedKeyBag",
#             "attrs": {
#               "localKeyId": "16444216",
#               "keyContainerName": "{F09B755A-1E90-444D-9851-02B86CA14961}",
#               "msStorageProvider": "Microsoft Enhanced Cryptographic Provider v1.0"
#             }
#           }
#         ]
#       },
#       {
#         "type": "EncryptedData",
#         "safeBag": [
#           {
#             "type": "certBag",
#             "attrs": {
#               "localKeyId": "16444216"
#             },
#             "subject": "....",
#             "serialNumber": "9999999999999999999999999999"
#           },
#           {
#             "type": "certBag",
#             "attrs": {
#               "authRootSha256Hash": "0vkOXTXKxNQffUTOZq/4heGBX7M5GFhTqH5mwFyb7x4=",
#               "friendlyName": "XYZ",
#               "enhKeyUsage": [
#                 {
#                   "oid": "1.3.6.1.5.5.7.3.2",
#                   "usage": "clientAuth"
#                 },
#                 {
#                   "oid": "1.3.6.1.5.5.7.3.4",
#                   "usage": "emailProtection"
#                 },
#                 {
#                   "oid": "1.3.6.1.5.5.7.3.3",
#                   "usage": "codeSigning"
#                 },
#                 {
#                   "oid": "1.3.6.1.5.5.7.3.8",
#                   "usage": "timeStamping"
#                 },
#                 {
#                   "oid": "1.3.6.1.4.1.311.10.3.4",
#                   "usage": "encryptedFileSystem"
#                 },
#                 {
#                   "oid": "1.3.6.1.5.5.8.2.2",
#                   "usage": "iKEIntermediate"
#                 },
# 
#                 {
#                   "oid": "1.3.6.1.5.5.7.3.6",
#                   "usage": "ipsecTunnel"
#                 },
#                 {
#                   "oid": "1.3.6.1.5.5.7.3.7",
#                   "usage": "ipsecUser"
#                 },
#                 {
#                   "oid": "1.3.6.1.5.5.7.3.5",
#                   "usage": "ipsecEndSystem"
#                 }
#               ]
#             },
#             "subject": "...",
#             "serialNumber": "8888888888888888888888888888"
#           },
#           {
#             "type": "certBag",
#             "subject": "...",
#             "serialNumber": "777777777777777777777777777"
#           }
#         ]
#       }
#     ]
#   }
# }

# ------------------------------------------------------------------------------------------
# OK... now let's change the AlgorithmId to "pbes2" 

CkPfx_put_AlgorithmId $pfx "pbes2"

# We already know from above that the PBES2 crypt and HMAC algorithms are "aes256-cbc" and "hmacWithSha256".
# Let's set them anyway just for the example...
CkPfx_put_Pbes2CryptAlg $pfx "aes256-cbc"
CkPfx_put_Pbes2HmacAlg $pfx "hmacWithSha256"

# Rewrite the PFX using pbes2/aes256 + sha256
set success [CkPfx_ToFile $pfx "secret" "qa_output/test_secret_aes256.pfx"]
if {$success == 0} then {
    puts [CkPfx_lastErrorText $pfx]
    delete_CkPfx $pfx
    delete_CkJsonObject $json
    exit
}

puts "Success."

delete_CkPfx $pfx
delete_CkJsonObject $json